[PLUG] Open source risk issue
Here is an article from the
latest Linux Pipeline newsletter which discusses the problem of
presumed open source code that later turns out to have been
proprietary. The author proposes two solutions that put the onus on
the recipient of the code -- I think that is wrong. Law rarely
changes solely because of the public interest. It is only when money
interests happen to coincide with the public's that good things happen.
That is the origin of the two legal principles of the "Buyer in the
Ordinary Course of Business" (BuyOCOB) and the "Holder in Due Course"
(HDC). The former protects the buyers of seemingly legitimate products
that ultimately turn out to be stolen, and the latter protects those
who unwittingly pass on bad checks.
To be a BuyOCOB, you have to have purchased the thing from a "Dealer in
goods of that Kind" (DIGOTK). Buying a Rolex from a smelly guy in the
subway won't get you BuyOCOB status, but buying from an [unknown to
you] unscrupulous storefront at 8th & Sansom will. Without the
BuyOCOB rule, commerce freezes -- not just for wary buyers, but for
legitimate dealers and middlemen also. One should not have to worry every
time they buy something that the seller has the right to sell it.
The HDC rule is from older times when checks and other commercial paper
were often bought and sold numerous times before cashed. At this
point, the rule is used most often by check cashing agencies and
holders of bearer bonds. (Note on the monied interest point: an HDC has
rights against the original check writer -- not the bank it was drawn
The better solution to the purloined code issue is to adopt a
BuyOCOB-type rule rather than putting the burden on the innocent code
recipient. This promotes open source development and assures users of
open source software that they are not at risk for doing so.
The only reason it doesn't now apply to open source software is that
the software is normally free, so the user is not a buyer.
Nonetheless, it satisfies the monied interests because it is only when
large businesses feel safe using open source software that they will
use it on a large scale.
[sorry for the HTML, but I thought the original article read
better in its original format.]
EDITOR'S NOTE: Manageable Problem
We can expect chowderheads both inside and outside the Linux community
to make a big deal out of today's top story.
service provider named Furthermore claims an open-source project got a
hold of some of its proprietary code and released the code as open
source. Since then, several companies have included Furthermore
code in their own projects, the company claims.
Open source opponents ( *koff* Microsoft *koff*) are sure to jump on
this story triumphantly, as proof of the superiority of proprietary
Some open source advocates will respond by screwing their fingers in
their ears and singing, loudly, "La la la la la la there's no problem here
la la la." Some of these advocates will take their fingers out of their
ears long enough to write nasty e-mail to Linux Pipeline. Some of them
are already writing hate mail to Furthermore.
In fact (1) there is a problem here but (2) it's manageable.
The problem is this: If you're a proprietary software developer, what
do you do if you believe your code was wrongly released as open source?
Right now, the only solution is to try to track down everyone who used
the code and get them to pay you for it. If that doesn't work, sue
everybody who'll stand still long enough to be served with papers.
Likewise, if you're a user, how do you make sure that code advertised
as open source is, in fact, legitimate? You don't want to run the
business on open source, only to have someone knock on the door months
or years later and tell you the software isn't open source after all,
and you need to pay up. That can be a real day-ruiner, as well as
leading to a career change from information technology to the glamorous
world of waste disposal (e.g., picking up waste paper in the park with
a big, pointy stick).
These are legitimate problems. They are also on their way to being
company called Open Source Risk Management reviews code in open-source
projects to certify their legitimacy, and will insure open-source users
and developers against claims of intellectual property theft.
Also, Pamela Jones, author of the popular Groklaw
blog, is working on Grokline,
a collaborative project to document the intellectual property ownership
of Unix and Unix-like code.
According to the project home page, Grokline is "designed to carefully
trace the ownership history of UNIX and UNIX-like code with the goal of
reducing, or eliminating, the amount of software subject to
superficially plausible but ultimately invalid copyright, patent and
trade secret claims against Linux or other free and open source
software. If there is any code out there that represents a conceivable
risk of that kind, we'd like to identify it and mitigate the litigation
risk now. If there isn't any valid claim that can be made, we'd like to
be able to prove it."
Grokline and the OSRM efforts come as open source faces increasing
pressures from private intellectual property concerns. OSRM
identified 283 patents that could pose a threat to Linux, including two
dozen owned by Microsoft.
while support from big companies like IBM and Novell has been a benefit
for Linux, those companies have their own agendas, which may not always
be in alignment with the open-source community.
And of course there's the SCO lawsuit. 'Nuff said about that.
Threats by proprietary vendors who believe their intellectual property
rights were infringed are a problem for the open-source community--but
the problem is manageable. We'll bring you more news about the
open-source community's protections against intellectual property
claims in coming weeks.
By the way, earlier I wrote about hate mail, and I have to say I'm
disappointed with you all. It used to be whenever we ran something
critical of Linux or open source, we could count on at least a
half-dozen nasty, expletive-filled diatribes in e-mail. But now the
nastygrams have slowed to a trickle, and the ones we do get are the
more-in-sorrow-than-in-anger kind ("I used to have a lot of respect for
your opinions, Mr. Wagner, but now I have to say I am gravely
Hop to it, people! You're letting me down! I want to see some real
psycho screeds in my in-box by tomorrow--the kind of stuff that makes
me want to hire bodyguards! Work yourselves up to a self-righteous rage
and get to work!
Editor, Linux Pipeline
Arthur S. Alexion LLC
arthur [at] alexion [dot] com
sms: 2679725536 [at] messaging [dot] sprintpcs [dot] com
PGP fingerprint: 52A4 B10C AA73 096F A661 92D2 3B65 8EAC ACC5 BA7A
The attachment -- signature.asc -- is my electronic signature; no need for alarm.
Info @ http://mysite.verizon.net/art.alexion/encryption/signature.asc.what.html
Key for signed PDFs available at
The validation string is TTJY-ZILJ-BJJG.